Do not send repeated Expect-CT reports to the same host+port

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 #include <vector>
@@ skipping 25 matching lines @@
 #include "base/metrics/field_trial.h"
 #endif
 
 namespace net {
 
 namespace {
 
 #include "net/http/transport_security_state_ct_policies.inc"
 #include "net/http/transport_security_state_static.h"
 
-const size_t kMaxHPKPReportCacheEntries = 50;
-const int kTimeToRememberHPKPReportsMins = 60;
+// Parameters for remembering sent HPKP and Expect-CT reports.
+const size_t kMaxReportCacheEntries = 50;
+const int kTimeToRememberReportsMins = 60;
 const size_t kReportCacheKeyLength = 16;
 
 // Points to the active transport security state source.
 const TransportSecurityStateSource* g_hsts_source = &kHSTSSource;
 
 // Override for CheckCTRequirements() for unit tests. Possible values:
 //  -1: Unless a delegate says otherwise, do not require CT.
 //   0: Use the default implementation (e.g. production)
 //   1: Unless a delegate says otherwise, require CT.
 int g_ct_required_for_testing = 0;
@@ skipping 677 matching lines @@
 void SetTransportSecurityStateSourceForTesting(
     const TransportSecurityStateSource* source) {
   g_hsts_source = source ? source : &kHSTSSource;
 }
 
 TransportSecurityState::TransportSecurityState()
     : enable_static_pins_(true),
       enable_static_expect_ct_(true),
       enable_static_expect_staple_(true),
       enable_pkp_bypass_for_local_trust_anchors_(true),
-      sent_reports_cache_(kMaxHPKPReportCacheEntries) {
+      sent_hpkp_reports_cache_(kMaxReportCacheEntries),
+      sent_expect_ct_reports_cache_(kMaxReportCacheEntries) {
 // Static pinning is only enabled for official builds to make sure that
 // others don't end up with pins that cannot be easily updated.
 #if !defined(GOOGLE_CHROME_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
   enable_static_pins_ = false;
   enable_static_expect_ct_ = false;
 #endif
   DCHECK(CalledOnValidThread());
 }
 
 // Both HSTS and HPKP cause fatal SSL errors, so return true if a
@@ skipping 127 matching lines @@
     return CT_REQUIREMENTS_MET;
   }
 
   // Check Expect-CT first so that other CT requirements do not prevent
   // Expect-CT reports from being sent.
   ExpectCTState state;
   if (is_issued_by_known_root && IsDynamicExpectCTEnabled() &&
       GetDynamicExpectCTState(hostname, &state)) {
     if (expect_ct_reporter_ && !state.report_uri.is_empty() &&
         report_status == ENABLE_EXPECT_CT_REPORTS) {
-      expect_ct_reporter_->OnExpectCTFailed(
+      MaybeNotifyExpectCTFailed(
           host_port_pair, state.report_uri, validated_certificate_chain,
           served_certificate_chain, signed_certificate_timestamps);
     }
     if (state.enforce)
       return CT_REQUIREMENTS_NOT_MET;
   }
 
   CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT;
   if (require_ct_delegate_)
     ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname);
@@ skipping 256 matching lines @@
   std::string serialized_report;
   std::string report_cache_key;
   if (!GetHPKPReport(host_port_pair, pkp_state, served_certificate_chain,
                      validated_certificate_chain, &serialized_report,
                      &report_cache_key)) {
     return PKPStatus::VIOLATED;
   }
 
   // Limit the rate at which duplicate reports are sent to the same
   // report URI. The same report will not be sent within
-  // |kTimeToRememberHPKPReportsMins|, which reduces load on servers and
+  // |kTimeToRememberReportsMins|, which reduces load on servers and
   // also prevents accidental loops (a.com triggers a report to b.com
   // which triggers a report to a.com). See section 2.1.4 of RFC 7469.
-  if (sent_reports_cache_.Get(report_cache_key, base::TimeTicks::Now()))
+  if (sent_hpkp_reports_cache_.Get(report_cache_key, base::TimeTicks::Now()))
     return PKPStatus::VIOLATED;
-  sent_reports_cache_.Put(
+  sent_hpkp_reports_cache_.Put(
       report_cache_key, true, base::TimeTicks::Now(),
       base::TimeTicks::Now() +
-          base::TimeDelta::FromMinutes(kTimeToRememberHPKPReportsMins));
+          base::TimeDelta::FromMinutes(kTimeToRememberReportsMins));
 
   report_sender_->Send(pkp_state.report_uri, "application/json; charset=utf-8",
                        serialized_report, base::Callback<void()>(),
                        base::Bind(RecordUMAForHPKPReportFailure));
   return PKPStatus::VIOLATED;
 }
 
 bool TransportSecurityState::GetStaticExpectCTState(
     const std::string& host,
     ExpectCTState* expect_ct_state) const {
   DCHECK(CalledOnValidThread());
 
   if (!IsBuildTimely())
     return false;
 
   PreloadResult result;
   if (!DecodeHSTSPreload(host, &result))
     return false;
 
   if (!enable_static_expect_ct_ || !result.expect_ct)
     return false;
 
   expect_ct_state->domain = host.substr(result.hostname_offset);
   expect_ct_state->report_uri = GURL(
       g_hsts_source->expect_ct_report_uris[result.expect_ct_report_uri_id]);
   return true;
 }
 
+void TransportSecurityState::MaybeNotifyExpectCTFailed(
+    const HostPortPair& host_port_pair,
+    const GURL& report_uri,
+    const X509Certificate* validated_certificate_chain,
+    const X509Certificate* served_certificate_chain,
+    const SignedCertificateTimestampAndStatusList&
+        signed_certificate_timestamps) {
+  // Do not send repeated reports to the same host/port pair within
+  // |kTimeToRememberReportsMins|. Theoretically, there could be scenarios in
+  // which the same host/port generates different reports and it would be useful
+  // to the server operator to receive those different reports, but such
+  // scenarios are not expected to arise very often in practice.
+  const std::string report_cache_key(host_port_pair.ToString());
+  if (sent_expect_ct_reports_cache_.Get(report_cache_key,
+                                        base::TimeTicks::Now())) {
+    return;
+  }
+  sent_expect_ct_reports_cache_.Put(
+      report_cache_key, true, base::TimeTicks::Now(),
+      base::TimeTicks::Now() +
+          base::TimeDelta::FromMinutes(kTimeToRememberReportsMins));
+
+  expect_ct_reporter_->OnExpectCTFailed(
+      host_port_pair, report_uri, validated_certificate_chain,
+      served_certificate_chain, signed_certificate_timestamps);
+}
+
 bool TransportSecurityState::GetStaticExpectStapleState(
     const std::string& host,
     ExpectStapleState* expect_staple_state) const {
   DCHECK(CalledOnValidThread());
 
   if (!IsBuildTimely())
     return false;
 
   PreloadResult result;
   if (!DecodeHSTSPreload(host, &result))
@@ skipping 224 matching lines @@
       return;
     if (!ssl_info.is_issued_by_known_root)
       return;
     if (!ssl_info.ct_compliance_details_available)
       return;
     if (ssl_info.ct_cert_policy_compliance ==
         ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)
       return;
     ExpectCTState state;
     if (GetStaticExpectCTState(host_port_pair.host(), &state)) {
-      expect_ct_reporter_->OnExpectCTFailed(
-          host_port_pair, state.report_uri, ssl_info.cert.get(),
-          ssl_info.unverified_cert.get(),
-          ssl_info.signed_certificate_timestamps);
+      MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri,
+                                ssl_info.cert.get(),
+                                ssl_info.unverified_cert.get(),
+                                ssl_info.signed_certificate_timestamps);
     }
     return;
   }
 
   // Otherwise, see if the site has sent a valid Expect-CT header to dynamically
   // turn on reporting and/or enforcement.
   if (!IsDynamicExpectCTEnabled())
     return;
   base::Time now = base::Time::Now();
   base::TimeDelta max_age;
@@ skipping 12 matching lines @@
     ExpectCTState state;
     // If an Expect-CT header is observed over a non-compliant connection, the
     // site owner should be notified about the misconfiguration. If the site was
     // already opted in to Expect-CT, this report would have been sent at
     // connection setup time. If the host is not already a noted Expect-CT host,
     // however, the lack of CT compliance would not have been evaluated/reported
     // at connection setup time, so it needs to be reported here while
     // processing the header.
     if (expect_ct_reporter_ && !report_uri.is_empty() &&
         !GetDynamicExpectCTState(host_port_pair.host(), &state)) {
-      expect_ct_reporter_->OnExpectCTFailed(
-          host_port_pair, report_uri, ssl_info.cert.get(),
-          ssl_info.unverified_cert.get(),
-          ssl_info.signed_certificate_timestamps);
+      MaybeNotifyExpectCTFailed(host_port_pair, report_uri, ssl_info.cert.get(),
+                                ssl_info.unverified_cert.get(),
+                                ssl_info.signed_certificate_timestamps);
     }
     return;
   }
   AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce,
                       report_uri);
 }
 
 // static
 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) {
   if (!required) {
     g_ct_required_for_testing = 0;
     return;
   }
   g_ct_required_for_testing = *required ? 1 : -1;
 }
 
+void TransportSecurityState::ClearReportCachesForTesting() {
+  sent_hpkp_reports_cache_.Clear();
+  sent_expect_ct_reports_cache_.Clear();
+}
+
 // static
 bool TransportSecurityState::IsBuildTimely() {
   const base::Time build_time = base::GetBuildTime();
   // We consider built-in information to be timely for 10 weeks.
   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 }
 
 TransportSecurityState::PKPStatus
 TransportSecurityState::CheckPublicKeyPinsImpl(
     const HostPortPair& host_port_pair,
@@ skipping 312 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace